Tailscale creates a peer-to-peer mesh VPN using the WireGuard protocol. Unlike traditional VPNs that route all traffic through a central server, Tailscale devices connect directly to each other using NAT traversal, the same technology that lets two people in different countries video-call without either side configuring their router. When a direct connection isn't possible (e.g., strict firewalls), Tailscale falls back to encrypted relay servers (DERP servers) automatically.
Each device gets a stable 100.x.x.x IP address and a DNS hostname via MagicDNS (e.g., my-mac.tail1234.ts.net). These addresses never change even when you switch networks. You access your Mac at my-mac from your phone, laptop, or any other Tailscale device, from anywhere in the world, with no firewall rules or port-forwarding configured.
The free tier supports 100 devices.
What you'll accomplish
A Tailscale network (called a "tailnet") connecting your Mac to your other devices. You'll be able to SSH into your Mac from anywhere using its stable Tailscale hostname, and expose your local Ollama API securely to your other Tailscale devices without opening any firewall ports.
What to know before starting
WireGuard: A modern VPN protocol. It is faster than OpenVPN, uses a smaller codebase (4,000 lines vs 400,000 for OpenVPN), and is built into the Linux kernel and macOS Network Extension framework. Tailscale uses WireGuard for the actual encryption.
NAT traversal: Your home router uses NAT to let multiple devices share one public IP. Tailscale "punches holes" through NAT using STUN: it gets both devices to contact a coordination server simultaneously, establishing a direct path. This works without any router configuration.
MagicDNS: Tailscale's built-in DNS that maps device names to their Tailscale IPs. When you SSH to `my-mac`, Tailscale resolves this to `100.x.x.x` automatically, with no `/etc/hosts` entries needed.
Exit nodes: A Tailscale device configured as an exit node routes all internet traffic from other devices through itself. Useful for privacy or accessing geo-restricted content. Note: this routes ALL your traffic, not just traffic to the exit node device.
ACLs: Access control lists in the Tailscale admin console define which devices can communicate with which other devices on your tailnet. By default, all devices on your tailnet can reach each other.
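Because every device can reach every other device by default, it is worth checking a tailnet policy before exposing SSH and Ollama. The following is an added example, not part of the original guide: it audits two constructed policy files, an allow-all rule matching the default behaviour and a restricted one. The tag name `tag:mac` and port 11434 (Ollama's default) are assumptions.

```python
import json

# Constructed sample policies (not from the original page). The tag name
# "tag:mac" and port 11434 (Ollama's default) are illustrative assumptions.
ALLOW_ALL_POLICY = json.loads("""
{"acls": [{"action": "accept", "src": ["*"], "dst": ["*:*"]}]}
""")

RESTRICTED_POLICY = json.loads("""
{
  "tagOwners": {"tag:mac": ["autogroup:admin"]},
  "acls": [
    {"action": "accept",
     "src": ["autogroup:member"],
     "dst": ["tag:mac:22,11434"]}
  ]
}
""")

def split_dst(dst):
    """Split 'host:ports' on the last colon, since tags contain a colon too."""
    host, _, ports = dst.rpartition(":")
    return host, ports.split(",")

def audit(policy, allowed_ports):
    """Return a finding for every rule broader than the intended port set."""
    findings = []
    for i, rule in enumerate(policy.get("acls", [])):
        if "*" in rule.get("src", []):
            findings.append(f"rule {i}: any source allowed")
        for dst in rule.get("dst", []):
            host, ports = split_dst(dst)
            if host == "*":
                findings.append(f"rule {i}: any destination host ({dst})")
            for port in ports:
                # Wildcards and ranges are flagged, as is any unlisted port.
                if port == "*" or "-" in port or port not in allowed_ports:
                    findings.append(f"rule {i}: port {port} on {host} not allowed")
    return findings

if __name__ == "__main__":
    wanted = {"22", "11434"}  # SSH and the assumed Ollama port
    for name, policy in [("allow-all", ALLOW_ALL_POLICY),
                         ("restricted", RESTRICTED_POLICY)]:
        print(name, audit(policy, wanted) or "OK")
```

The restricted policy passes because only tailnet members can reach the tagged Mac, and only on the two listed ports.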
Prerequisites
• macOS 10.13+
• A Tailscale account (free tier at tailscale.com; sign up with Google, Microsoft, or GitHub)
• Internet connection during setup (not needed during use once connected)
Time & risk
Duration: 5 minutes
Risk level: None. Uninstalling Tailscale removes the network extension completely and all changes are reversed